How are you protecting your Salesforce data against malicious or accidental updates?
As described throughout this three-part blog series, you can ensure your data stays protected by understanding your security risks and exposure and with some actionable steps that any Salesforce admin can do, such as implementing MFA, securing your community, implementing free code checks, carefully setting up user personas, and the like. In addition, with a well-defined data retention policy, you’ll be prepared if something goes wrong and your data is compromised.
Organizations with robust IT policies often miss the “last mile” to make them work in Salesforce. Our tips below will help bridge the gap and make company policy actionable in Salesforce.
We also have a resource, Salesforce Cybersecurity: Climbing the Mountain, to help your organization work towards (and maintain) a secure Salesforce environment. The collection of resources includes a policy checklist.
Review Your Organization’s General Policies
Privacy and Compliance
There are many rules and regulations around how Personally Identifiable Information (PII) and Severe Personally Identifiable Information (SPII) are stored and accessed.
This information must be only accessible to users who need it and only when they need it. Considerations such as a user’s persona (profile, role, and assigned permission sets) and your organization’s sharing settings and rules must be carefully weighed to guarantee secure information.
Tip: For an added cost, data can be encrypted, and fields and objects storing this data can be classified, giving users a clearer understanding of which information falls under these categories.
- Data Classification Metadata fields
- Setup Data Classification Metadata
- Setup Reports from Data Classification Metadata
Employee Churn
Employees come and go. It’s a best practice to have a policy for onboarding and offboarding users to your organization. Some best practices include:
User Persona Management
Identify a user’s persona to assign them to the appropriate profile, role, permission sets, and apps. These factors determine what users can see and do in Salesforce. However, too much access can compromise general company data and potentially sensitive data about users, customers, etc.
Documented Offboarding Process
Your organization should have a documented process for when a Salesforce user leaves.
- Users who haven’t been deactivated or frozen pose a severe risk. A plan for removing their Salesforce access, sometimes on short notice, should be in place to prevent inappropriate access, which can compromise your data in multiple ways.
- Don’t leave termed employees as active, but also know that admins and some higher-level officers may be attached to various automated processes in Salesforce.
Salesforce Permission Sets
Understand what all your Salesforce permission sets do. Confirm they’re assigned to only those who need them. Use clear names and descriptions, monitor assignments on the permission set, or view a user’s assignments from their record page.
Documented New Hire Salesforce Setup
If you require certain users to have assigned permission sets, have documentation for the new hire setup.
Permission sets are good for the concept of least privilege (only assign the access a user needs). But a lot of permission sets can create “Admin debt.” So it’s important to know that if a whole profile of users needs a permission, you can add it to the profile. Just know that specific permissions carry many risks, such as Export Reports.
Salesforce Admin Knowledge
All Salesforce admins at your organization should know when and how to appropriately assign profiles, permission sets, roles, groups, and what forms of access are part of sharing vs. field-level security.
Tip: Use a combination of sharing rules, object permissions, and field-level security to grant the appropriate access granularly.
General Monitoring
We recommend you gauge how you review what’s happening in your organization’s Salesforce. For example, do you review logins?
Login History
User logins can be tracked by navigating to Setup>Identity>Login History
This feature lets you see who is logging on (or attempting to) and provides details about how they’re doing it (see example below).
Setup Audit Trail
Setup Audit Trail can be downloaded, showing what different administrators have changed in your organization’s Salesforce. This is helpful in both debugging unexpected problems (“Why do I no longer see those fields? Oh, it’s because Bob removed them from the layout.”)
User Reports
Out of the box, Salesforce reports can help identify user information such as when they last logged in, how many times they’ve done so over a certain period, and the source IP address of a particular login. In addition to providing information about usage and adaptability, these reports allow you to track and monitor unusual trends, such as logins at odd times or irregular login frequencies (e.g., the same user logging in many times during non-business hours).
Field History Tracking
On most objects and fields, users have the option to track field history. When configured on a field, changes to the field are tracked for up to 18-24 months. The user who made the change is listed as well. Having this implemented is helpful in case data corrections are necessary or if you need a paper trail for change management.
Data Retention Policy
Data retention involves keeping and maintaining good-quality data. Several unfortunate events can cause shakeups to your data, whether it be data loss through record deletion or incorrect data updates due to automation going haywire; potential threats such as a data breach can also put your data at risk.
It’s good practice to have a data retention policy, particularly with an emphasis on data backup. While the Salesforce AppExchange offers products that help protect your data, the Data Export option in Setup is free. It allows you to manually export data at weekly or monthly intervals. In addition, you can schedule automatic weekly and monthly exports depending on your Salesforce edition.
Stay Informed on Security News
With rapid technological changes, keeping up with new security trends can be overwhelming. And with the increasing cleverness of hackers, it’s downright scary to think about all the potential risks. Yet vigilance is the way to go when keeping your Salesforce org secure. Following best practices and staying informed is the best way to prevent security issues.
Salesforce provides several frequently updated resources to help in this regard.
- Salesforce Security Guide
- Salesforce Release Notes
- Salesforce’s general security site, Trust
- Salesforce security resources
Additional Best Practices
Here’s a quick list of a few additional best practices for data protection:
- In public places, don’t leave your computer unoccupied.
- Even in the workplace, if you have to leave your desk, ensure your screen goes to sleep when there’s little activity.
- Don’t write down passwords on a note and leave them by your desk (can’t stress this enough).
- When providing users with access to Salesforce, err on being too restrictive. It’s better for your users to complain about lack of access rather than for you to face a lawsuit.
Conclusion
Without a doubt, security, privacy, and compliance within Salesforce are worth your attention. Following best practices, being vigilant, and staying updated on the latest security advances can protect your Salesforce org from external and internal threats.
Security protection can always be improved. Hopefully, this blog series gives you the information you need to help you understand how to protect your organization from everyday issues. Don’t forget to get your copy of Salesforce Cybersecurity: Climbing the Mountain!
Below are a few Salesforce Trailheads, where you can learn more about data security the fun way!
Red Argyle loves to talk about security and compliance (no, really). So reach out to see how we can help your organization with your data and Salesforce security.